IntSights' Blog

Are Your Devops Servers Exposing Sensitive Information?

In recent years, DevOps, the culture and practice of automating and monitoring the development life cycle, has enabled delivering software increasingly faster and shortening the time to market. Many companies have transitioned to working in a CI/CD cycle, continuously releasing software on a daily, weekly, or bi-weekly basis to respond to customer needs more quickly and keep up with changing trends.

But this practice of DevOps has brought a multitude of security issues. New tools emerge frequently, each with their own security level and configuration, causing DevOps engineers to struggle keeping up with the different configuration and security guidelines coming down from management. This struggle eventually leads to security holes.

Moreover, the transition to cloud-based tools and operations increases an organization’s digital footprint, leaving more and more breadcrumbs for attackers to collect and utilize in an attack. Thousands of dollars are invested each year in the development lifecycle, but in the effort to keep up with speed and agility, security gets tossed aside - not from malice, just from oversight.

The Challenge with Protecting DevOps Servers

There are currently about 120 different tools and technologies in the DevOps landscape. Each of these tools has its own design, configurations, credentials, filters, APIs, protocols, and user lists. Some of them don't even require basic authentication to access them. Managing even a fraction of these tools places an extremely heavy burden on DevOps engineers, who must secure each one properly.

So what does this mean? Most openly accessible DevOps servers are exposed through oversight or user error, not through a direct malware or hacking attack. Through our research, we gathered a list of 25,876 URLs of different DevOps tools and servers from various organizations. After analyzing these URLs, we found that 5967 of the 25,876 we tested were accessible from the web (23.06%).


Why Protect Your DevOps Servers

In a typical cloud-based product development environment, there are at least six to seven tools being used. Each of these tools holds valuable company information, including source code, username lists, development server naming conventions, internal IPs and network structure. Obviously, when these servers are left exposed, it can pose a serious risk to a company’s assets.

This doesn't even account for potential malware attacks against a DevOps database (for example, the CCleaner supply-chain attack). An attacker searching for a way into the company network doesn't need to look far: these tools are accessible from the web, ripe for the taking.

How to Protect Your DevOps Servers

While open DevOps servers pose many risks to organizations, there are a number of steps you can take to better protect yourself.

1. Don’t Use DevOps Tool Names for Web-Facing Servers

As trivial as it might sound, when you’re choosing the name of your server, don’t use the real tool name, like Jenkins, Kibana, Trello, Jira, etc. It might make your life slightly less convenient, but it will make intelligence gathering a lot more difficult. A development server name under your domain name (Jenkins.example.com) will surely attract unwanted attention and will make a nice target for an attack. The same goes for obvious and interesting systems (Dev.* Staging.* QA.* DB.* etc.).

2. Enable Multi-Factor Authentication

A simple login page won’t stop hackers from getting to your data, and most DevOps tools don’t have built-in Multi-Factor Authentication. Using third-party plug-ins or third-party vendors will help you strengthen the login process to your DevOps servers and protect your company data.

3. Use a Proxy Server

Instead of giving direct access from the web to your development servers, add a proxy server for users to connect to, and from there route the traffic to your development servers. The proxy can be combined with another layer of authentication (more secure) or left as is for production needs, but either way it acts as a single gateway to your servers, helps you monitor traffic, and hides your servers from the public eye.
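The three steps above combined in one reverse-proxy configuration, as an added example that is not part of the original post: the public hostname reveals nothing about the tool (step 1), every request is first approved by an external SSO/MFA-capable auth service through nginx's auth_request module (step 2), and only the proxy is web-facing while the CI server stays on the internal network (step 3). The hostname, internal address, TLS paths and the auth service on port 4180 are assumptions, not values from the post.

```nginx
# Added example (not from the original post). The weak pattern this replaces is
#   server_name jenkins.example.com;  location / { proxy_pass http://10.0.20.15:8080; }
# i.e. a tool-named host proxied straight through with no extra authentication.

# Step 1: a neutral public name instead of the tool name.
server {
    listen 443 ssl;
    server_name tools-gw.example.com;                    # assumed; not jenkins.example.com

    ssl_certificate     /etc/nginx/tls/tools-gw.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/tools-gw.key;

    # Step 2: internal subrequest to an identity-aware auth service (assumed to
    # enforce SSO/MFA). Only its status code matters: 2xx allows, 401/403 denies.
    location = /_auth {
        internal;
        proxy_pass              http://127.0.0.1:4180/auth;   # assumed auth service
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }

    # Step 3: the CI server is reachable only through this proxy.
    location / {
        auth_request /_auth;
        error_page 401 = @login;                          # unauthenticated users never see the tool

        proxy_pass         http://10.0.20.15:8080;        # assumed internal-only CI host
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;

        # One log for every request that reaches any dev tool behind the gateway.
        access_log /var/log/nginx/tools-gw.access.log;
    }

    location @login {
        return 302 https://$host/login?rd=$request_uri;
    }

    location /login {
        proxy_pass http://127.0.0.1:4180/login;           # assumed auth service login page
    }
}

# Plain HTTP is never served; it only redirects to HTTPS.
server {
    listen 80;
    server_name tools-gw.example.com;
    return 301 https://$host$request_uri;
}
```

The internal CI host should additionally be firewalled so that it accepts connections only from the proxy's address; otherwise the proxy hides the server from casual discovery but does not stop a direct connection to it.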

Conclusion

Security teams aren't always involved in the setup and management of DevOps servers, which can pose a massive security risk. Proper setup and configuration of DevOps servers is critical to protecting company data; when they are not set up and managed properly, they become an easy target for hackers. Make sure your organization is not exposing itself to attack through incorrectly configured DevOps servers.

Ariel Ainhoren is a Security Researcher at IntSights, focused on discovering new cyber trends, threats, hacker strategies and vulnerabilities. He is a seasoned security professional with over 8 years of experience in the cyber industry, with expertise in computer forensics, malicious programs, vulnerability management and Microsoft Products. Ariel enjoys solving cyber puzzles, preferably byte by byte.
